Ghidra scripts

• Ghidra scripts
  • Installing scripts
  • External references search
    • Instruction
  • Find Local XRefs in Decompiler's window
    • Instruction
  • Set entry points in selection
    • Instruction
  • Remove all references
    • From address
    • To address
    • Instruction
  • FindMultipleLabels
    • Instruction
  • FindNeededFunctions
    • Instruction
  • BasicBlockModelExample
    • Instruction
  • Example of parsing PE header
    • Instruction
  • Printing ASM/PCode/PCodeHigh/C
    • Instruction
  • Printing PCode
    • Instruction
  • Set default calling convention for functions in Selection
    • Instruction
  • Find references of the field of a structure
    • Instruction
  • Rename functions in the Selection
    • Instruction

Installing scripts

Please read ${GHIDRA_HOME}/docs/GhidraClass/Intermediate/Scripting_withNotes.html and Ghidra Script Manager section of Help.

External references search

ℹ️	Source file

Script finds all references to the functions and data from all external programs (shared libraries), then creates additional memory blocks and transfer all info about functions (name, signature, additional info) and data (name, also create comment with value and annotation with link to external program). A source type of symbols will be IMPORTED, a source type of parameters will be IMPORTED, if parameters of the original function don't have DEFAULT source type, otherwise a source type will be DEFAULT too.

Instruction

1. Import binary file.

2. Analyze it.

3. Add needed external programs (see Figure 1):

   • Window → External Programs
   • Add External Program Name
   • Set External Name Association

   

   Figure 1. Added External Programs

4. Run the script (choose memory blocks if needed, see Figure 2).

   

   Figure 2. Choose needed memory blocks

Before	After

Figure 3. Before and after running the script

ℹ️	You can run the script multiple times.

⚠️ Warning:

• script will not change user-defined symbols (you should delete user-defined symbols, if you want to import information from external symbols);

• you should look symbols with Global namespace (not external) for finding xrefs to external functions and data (see Figure 4).

Figure 4. Symbol with Global Namespace have true references

Find Local XRefs in Decompiler's window

ℹ️	Source file

The script try to find all references for local variables in Decompiler's window like in IDA Pro or Binary Ninja.

Instruction

1. Make a highlight of needed variables (see Figure 5). You can use middle button of a mouse or other algorithms for highlighting, for example Def-Use, Forward Slice, etc.
2. Run the script or press Ctrl-X.

Figure 5. XRefs to local variables

Set entry points in selection

ℹ️	Source file

Script set all labels (functions) in selection as Entry Point.

Instruction

1. Select required functions through Functions window.
2. Run the script.

Remove all references

Use for clearing of the analysis results.

From address

ℹ️	Source file

To address

ℹ️	Source file

Instruction

1. Select addresses or set the cursor to one address.
2. Run the script.

FindMultipleLabels

Print all symbols (and their addresses) with multiple labels. Maybe useful for Version Tracking session.

ℹ️	Source file

Instruction

1. Run the script.

FindNeededFunctions

ℹ️	Source file

Find all functions with parameters, which will be dereferenced.

Instruction

1. Run the script.

BasicBlockModelExample

ℹ️	Source file

Prints all basic blocks of the program (change the source code for printing an interesting information) with sources and destinations information (other basic blocks).

Instruction

1. Run the script.

Example of parsing PE header

ℹ️	Source file

The script parses PE header and print an entry point address (address of a valid function) from optional header.

Instruction

1. Run the script.

Printing ASM/PCode/PCodeHigh/C

ℹ️	Source file

The script should be used in headless mode. May be useful for debugging of a decompiler and writing Sleigh code. The script can print ASM code, PCode, PCodeHigh, decompiling C code (use arguments).

⚠️ Warning:

• the script can damage the target project, you should to watch the arguments for GhidraHeadless.

Instruction

See comments in the script file.

Printing PCode

ℹ️	Source file

The script prints high PCode to console. May be useful for debugging of a decompiler. You should know, that the AST of high PCode and the AST of any varnode may be different in a scope of the same function.

Instruction

1. Run the script.

Set default calling convention for functions in Selection

ℹ️	Source file

The script set default convention (see Language ID) for all functions in the selection.

Instruction

1. Select needed functions. I recommend do it through Functions window, where you can sort and filter functions.

2. Run the script.

Find references of the field of a structure

ℹ️	Source file

The script finds all references to the field of a structure.

Instruction

1. Set cursor at the field of a structure in the Decompiler window.
2. Run the script.

Rename functions in the Selection

ℹ️	Source file

The script rename all functions in the selection to one name.

Instruction

1. Select all needed functions (bytes) for renaming.
2. Run the script.